On 9/10/21 9:20 AM, Daniil Kirilyuk wrote:
We're developing a Java application which should authenticate users against
both LDAP and custom formatted files containing user information. Both
username/password and certificate authentication are planned to be supported.
Our application should run mainly on RHEL. We were estimating the possibility
of using SSSD for this purpose. After some investigation it seems that SSSD can
be called from Java code only via D-Bus. It also seems that it can be used
mainly for fetching user information, but not for authentication.
E.g., for fetching a user by uid:
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \
  /org/freedesktop/sssd/infopipe/Users \
  org.freedesktop.sssd.infopipe.Users.FindByName string:<UID>
For retrieving user groups:
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \
  /org/freedesktop/sssd/infopipe/Users/<DOMAIN>/<UID> \
  org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Users.User \
  string:groups
For retrieving some extra attributes (after adding them to sssd.conf):
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \
  /org/freedesktop/sssd/infopipe/Users/<DOMAIN>/<UID> \
  org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Users.User \
  string:extraAttributes
The method FindByNameAndCertificate looks somewhat promising:
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \
  /org/freedesktop/sssd/infopipe/Users \
  org.freedesktop.sssd.infopipe.Users.FindByNameAndCertificate string:<UID> \
  string:<PEM_CERT>
But as far as I understand, FindByNameAndCertificate just compares the string
representation of a PEM certificate and is far from client certificate
authentication.
Do I understand correctly that at the moment there is no possibility to
perform user authentication via the D-Bus API through SSSD in LDAP? Or am I
missing something?
Hi, you are correct. At this moment SSSD does not provide any
authentication mechanism through D-Bus. Authentication is provided only
through the PAM modules pam_sss.so and pam_sss_gss.so (for GSSAPI
authentication).
Also, even though we do have support for users and groups over D-Bus,
depending on your use case it might be better to use system calls that
go through nsswitch.conf (like getpwnam/getgrnam; I'm not sure what
their Java counterparts are).
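As an added example, not code from either poster, here is the PAM route the reply points to: a PAM service dedicated to the application that delegates to pam_sss.so, called from Java. The service name "javaapp" and the use of the jpam binding (net.sf.jpam.Pam) are assumptions of this example; the thread itself names only the modules.

```java
// Added example (not from the thread): authenticate through SSSD's PAM module,
// pam_sss.so, because the D-Bus infopipe only answers lookups. Assumes a dedicated
// PAM service file /etc/pam.d/javaapp (name chosen here) with the stack:
//     auth     required   pam_sss.so
//     account  required   pam_sss.so
// and the jpam binding (net.sf.jpam, an assumption of this example) on the
// classpath together with its native helper library.
import net.sf.jpam.Pam;

public final class SssdPamAuthenticator {
    private final String serviceName;

    public SssdPamAuthenticator(String serviceName) {
        // The service name selects /etc/pam.d/<serviceName>. Use a stack dedicated to
        // the application rather than reusing "login" or "sshd", so its policy can be
        // reviewed and changed without touching system logins.
        this.serviceName = serviceName;
    }

    /**
     * Runs the configured PAM stack for the given user. pam_sss.so forwards the
     * password check to SSSD, which validates it against the configured LDAP
     * domain; the caller only learns success or failure, never the reason.
     */
    public boolean authenticate(String username, char[] password) {
        if (username == null || username.isEmpty() || password == null || password.length == 0) {
            return false; // refuse empty credentials before touching PAM at all
        }
        Pam pam = new Pam(serviceName);
        // authenticateSuccessful() returns true only when the stack reports PAM_SUCCESS;
        // every other PAM return code is treated as a denied login.
        return pam.authenticateSuccessful(username, new String(password));
    }

    public static void main(String[] args) {
        if (args.length != 1 || System.console() == null) {
            System.err.println("usage: SssdPamAuthenticator <user>   (password read from the terminal)");
            System.exit(2);
        }
        // Read the password from the console rather than argv, which is visible in `ps`.
        char[] password = System.console().readPassword("Password for %s: ", args[0]);
        boolean ok = new SssdPamAuthenticator("javaapp").authenticate(args[0], password);
        java.util.Arrays.fill(password, '\0'); // scrub the secret once PAM has it
        System.out.println(ok ? "authenticated" : "denied");
        System.exit(ok ? 0 : 1);
    }
}
```

The SSSD side needs nothing beyond the domain already configured for the lookups above; PAM denials are logged by SSSD's PAM responder, so keep its log level useful when debugging a failing stack.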
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure